Sign MacroAssembler::jumpsToLink

https://bugs.webkit.org/show_bug.cgi?id=217774
<rdar://problem/69433058>

Reviewed by Saam Barati.

Source/JavaScriptCore:

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::LinkRecord::LinkRecord):
(JSC::ARM64Assembler::LinkRecord::setFrom):
(JSC::ARM64Assembler::LinkRecord::to const):
(JSC::ARM64Assembler::linkJump):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):

Source/WTF:

* wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@269020 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,19 @@
+2020-10-15  Tadeu Zagallo  <[email protected]>
+
+        Sign MacroAssembler::jumpsToLink
+        https://bugs.webkit.org/show_bug.cgi?id=217774
+        <rdar://problem/69433058>
+
+        Reviewed by Saam Barati.
+
+        * assembler/ARM64Assembler.h:
+        (JSC::ARM64Assembler::LinkRecord::LinkRecord):
+        (JSC::ARM64Assembler::LinkRecord::setFrom):
+        (JSC::ARM64Assembler::LinkRecord::to const):
+        (JSC::ARM64Assembler::linkJump):
+        * assembler/LinkBuffer.cpp:
+        (JSC::LinkBuffer::copyCompactAndLinkCode):
+
 2020-10-15  Tadeu Zagallo  <[email protected]>
 
         Validate addresses returned by LinkBuffer::locationOf

Source/JavaScriptCore/assembler/ARM64Assembler.h

@@ -340,28 +340,43 @@ class ARM64Assembler {
 
     class LinkRecord {
     public:
-        LinkRecord(intptr_t from, intptr_t to, JumpType type, Condition condition)
+        LinkRecord(const ARM64Assembler* assembler, intptr_t from, intptr_t to, JumpType type, Condition condition)
         {
             data.realTypes.m_from = from;
+#if CPU(ARM64E)
+            data.realTypes.m_to = tagInt(to, static_cast<PtrTag>(from ^ bitwise_cast<intptr_t>(assembler)));
+#else
+            UNUSED_PARAM(assembler);
             data.realTypes.m_to = to;
+#endif
             data.realTypes.m_type = type;
             data.realTypes.m_linkType = LinkInvalid;
             data.realTypes.m_condition = condition;
         }
-        LinkRecord(intptr_t from, intptr_t to, JumpType type, Condition condition, bool is64Bit, RegisterID compareRegister)
+        LinkRecord(const ARM64Assembler* assembler, intptr_t from, intptr_t to, JumpType type, Condition condition, bool is64Bit, RegisterID compareRegister)
         {
             data.realTypes.m_from = from;
+#if CPU(ARM64E)
+            data.realTypes.m_to = tagInt(to, static_cast<PtrTag>(from ^ bitwise_cast<intptr_t>(assembler)));
+#else
+            UNUSED_PARAM(assembler);
             data.realTypes.m_to = to;
+#endif
             data.realTypes.m_type = type;
             data.realTypes.m_linkType = LinkInvalid;
             data.realTypes.m_condition = condition;
             data.realTypes.m_is64Bit = is64Bit;
             data.realTypes.m_compareRegister = compareRegister;
         }
-        LinkRecord(intptr_t from, intptr_t to, JumpType type, Condition condition, unsigned bitNumber, RegisterID compareRegister)
+        LinkRecord(const ARM64Assembler* assembler, intptr_t from, intptr_t to, JumpType type, Condition condition, unsigned bitNumber, RegisterID compareRegister)
         {
             data.realTypes.m_from = from;
+#if CPU(ARM64E)
+            data.realTypes.m_to = tagInt(to, static_cast<PtrTag>(from ^ bitwise_cast<intptr_t>(assembler)));
+#else
+            UNUSED_PARAM(assembler);
             data.realTypes.m_to = to;
+#endif
             data.realTypes.m_type = type;
             data.realTypes.m_linkType = LinkInvalid;
             data.realTypes.m_condition = condition;
@@ -378,8 +393,24 @@ class ARM64Assembler {
             return *this;
         }
         intptr_t from() const { return data.realTypes.m_from; }
-        void setFrom(intptr_t from) { data.realTypes.m_from = from; }
-        intptr_t to() const { return data.realTypes.m_to; }
+        void setFrom(const ARM64Assembler* assembler, intptr_t from)
+        {
+#if CPU(ARM64E)
+            data.realTypes.m_to = tagInt(to(assembler), static_cast<PtrTag>(from ^ bitwise_cast<intptr_t>(assembler)));
+#else
+            UNUSED_PARAM(assembler);
+#endif
+            data.realTypes.m_from = from;
+        }
+        intptr_t to(const ARM64Assembler* assembler) const
+        {
+#if CPU(ARM64E)
+            return untagInt(data.realTypes.m_to, static_cast<PtrTag>(data.realTypes.m_from ^ bitwise_cast<intptr_t>(assembler)));
+#else
+            UNUSED_PARAM(assembler);
+            return data.realTypes.m_to;
+#endif
+        }
         JumpType type() const { return data.realTypes.m_type; }
         JumpLinkType linkType() const { return data.realTypes.m_linkType; }
         void setLinkType(JumpLinkType linkType) { ASSERT(data.realTypes.m_linkType == LinkInvalid); data.realTypes.m_linkType = linkType; }
@@ -2526,21 +2557,21 @@ class ARM64Assembler {
     {
         ASSERT(to.isSet());
         ASSERT(from.isSet());
-        m_jumpsToLink.append(LinkRecord(from.m_offset, to.m_offset, type, condition));
+        m_jumpsToLink.append(LinkRecord(this, from.m_offset, to.m_offset, type, condition));
     }
 
     void linkJump(AssemblerLabel from, AssemblerLabel to, JumpType type, Condition condition, bool is64Bit, RegisterID compareRegister)
     {
         ASSERT(to.isSet());
         ASSERT(from.isSet());
-        m_jumpsToLink.append(LinkRecord(from.m_offset, to.m_offset, type, condition, is64Bit, compareRegister));
+        m_jumpsToLink.append(LinkRecord(this, from.m_offset, to.m_offset, type, condition, is64Bit, compareRegister));
     }
 
     void linkJump(AssemblerLabel from, AssemblerLabel to, JumpType type, Condition condition, unsigned bitNumber, RegisterID compareRegister)
     {
         ASSERT(to.isSet());
         ASSERT(from.isSet());
-        m_jumpsToLink.append(LinkRecord(from.m_offset, to.m_offset, type, condition, bitNumber, compareRegister));
+        m_jumpsToLink.append(LinkRecord(this, from.m_offset, to.m_offset, type, condition, bitNumber, compareRegister));
     }
 
     static void linkJump(void* code, AssemblerLabel from, void* to)

Source/JavaScriptCore/assembler/LinkBuffer.cpp

@@ -292,10 +292,15 @@ void LinkBuffer::copyCompactAndLinkCode(MacroAssembler& macroAssembler, JITCompi
             // Calculate absolute address of the jump target, in the case of backwards
             // branches we need to be precise, forward branches we are pessimistic
             const uint8_t* target;
-            if (jumpsToLink[i].to() >= jumpsToLink[i].from())
-                target = codeOutData + jumpsToLink[i].to() - offset; // Compensate for what we have collapsed so far
+#if CPU(ARM64)
+            const intptr_t to = jumpsToLink[i].to(&macroAssembler.m_assembler);
+#else
+            const intptr_t to = jumpsToLink[i].to();
+#endif
+            if (to >= jumpsToLink[i].from())
+                target = codeOutData + to - offset; // Compensate for what we have collapsed so far
             else
-                target = codeOutData + jumpsToLink[i].to() - executableOffsetFor(jumpsToLink[i].to());
+                target = codeOutData + to - executableOffsetFor(to);
 
             JumpLinkType jumpLinkType = MacroAssembler::computeJumpType(jumpsToLink[i], codeOutData + writePtr, target);
             // Compact branch if we can...
@@ -307,7 +312,11 @@ void LinkBuffer::copyCompactAndLinkCode(MacroAssembler& macroAssembler, JITCompi
                     recordLinkOffsets(m_assemblerStorage, jumpsToLink[i].from() - delta, readPtr, readPtr - writePtr);
                 }
             }
+#if CPU(ARM64)
+            jumpsToLink[i].setFrom(&macroAssembler.m_assembler, writePtr);
+#else
             jumpsToLink[i].setFrom(writePtr);
+#endif
         }
     } else {
         if (ASSERT_ENABLED) {
@@ -349,7 +358,12 @@ void LinkBuffer::copyCompactAndLinkCode(MacroAssembler& macroAssembler, JITCompi
 
     for (unsigned i = 0; i < jumpCount; ++i) {
         uint8_t* location = codeOutData + jumpsToLink[i].from();
-        uint8_t* target = codeOutData + jumpsToLink[i].to() - executableOffsetFor(jumpsToLink[i].to());
+#if CPU(ARM64)
+        const intptr_t to = jumpsToLink[i].to(&macroAssembler.m_assembler);
+#else
+        const intptr_t to = jumpsToLink[i].to();
+#endif
+        uint8_t* target = codeOutData + to - executableOffsetFor(to);
         if (useFastJITPermissions())
             MacroAssembler::link<memcpyWrapper>(jumpsToLink[i], outData + jumpsToLink[i].from(), location, target);
         else

Source/WTF/ChangeLog

@@ -1,3 +1,15 @@
+2020-10-15  Tadeu Zagallo  <[email protected]>
+
+        Sign MacroAssembler::jumpsToLink
+        https://bugs.webkit.org/show_bug.cgi?id=217774
+        <rdar://problem/69433058>
+
+        Reviewed by Saam Barati.
+
+        * wtf/PtrTag.h:
+        (WTF::untagInt):
+        (WTF::tagInt):
+
 2020-10-15  Tadeu Zagallo  <[email protected]>
 
         Add extra validation to MetaAllocator::findAndRemoveFreeSpace

Source/WTF/wtf/PtrTag.h

@@ -410,6 +410,13 @@ inline PtrType untagCFunctionPtr(PtrType ptr) { return untagCFunctionPtrImpl<Ptr
 
 #if CPU(ARM64E)
 
+template <typename IntType>
+inline IntType untagInt(IntType ptrInt, PtrTag tag)
+{
+    static_assert(sizeof(IntType) == sizeof(uintptr_t));
+    return bitwise_cast<IntType>(ptrauth_auth_data(bitwise_cast<void*>(ptrInt), ptrauth_key_process_dependent_data, tag));
+}
+
 template<typename T>
 inline T* tagArrayPtr(std::nullptr_t ptr, size_t length)
 {
@@ -459,7 +466,14 @@ inline PtrType untagCodePtrWithStackPointerForJITCall(PtrType ptr, const void* s
 template <PtrTag tag, typename IntType>
 inline IntType tagInt(IntType ptrInt)
 {
-    static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
+    static_assert(sizeof(IntType) == sizeof(uintptr_t));
+    return bitwise_cast<IntType>(ptrauth_sign_unauthenticated(bitwise_cast<void*>(ptrInt), ptrauth_key_process_dependent_data, tag));
+}
+
+template <typename IntType>
+inline IntType tagInt(IntType ptrInt, PtrTag tag)
+{
+    static_assert(sizeof(IntType) == sizeof(uintptr_t));
     return bitwise_cast<IntType>(ptrauth_sign_unauthenticated(bitwise_cast<void*>(ptrInt), ptrauth_key_process_dependent_data, tag));
 }
 
@@ -519,6 +533,20 @@ inline IntType tagInt(IntType ptrInt)
     return ptrInt;
 }
 
+template <typename IntType>
+inline IntType tagInt(IntType ptrInt, PtrTag)
+{
+    static_assert(sizeof(IntType) == sizeof(uintptr_t));
+    return ptrInt;
+}
+
+template <typename IntType>
+inline IntType untagInt(IntType ptrInt, PtrTag)
+{
+    static_assert(sizeof(IntType) == sizeof(uintptr_t));
+    return ptrInt;
+}
+
 inline bool usesPointerTagging() { return false; }
 
 #define WTF_VTBL_FUNCPTR_PTRAUTH(discriminator)
@@ -553,6 +581,7 @@ using WTF::tagCFunction;
 using WTF::tagCFunctionPtr;
 using WTF::untagCFunctionPtr;
 using WTF::tagInt;
+using WTF::untagInt;
 
 using WTF::assertIsCFunctionPtr;
 using WTF::assertIsNullOrCFunctionPtr;